Security
Introduction
As a future information security professional, you must understand the scope of an organization’s
legal and ethical responsibilities. The information security professional plays an important role in
an organization’s approach to managing liability for privacy and security risks. In the modern
litigious societies of the world, sometimes laws are enforced in civil courts, where large
damages can be awarded to plaintiffs who bring suits against organizations. Sometimes these
damages are punitive—assessed as a deterrent. To minimize liability and reduce risks from
electronic and physical threats, and to reduce all losses from legal action, information security
practitioners must thoroughly understand the current legal environment, stay current with laws
and regulations, and watch for new and emerging issues. By educating the management and
employees of an organization on their legal and ethical obligations and the proper use of
information technology and information security, security professionals can help keep an
organization focused on its primary objectives.
Types of Law
Civil law comprises a wide variety of laws that govern a nation or state and deal with the
relationships and conflicts between organizational entities and people.
Criminal law addresses activities and conduct harmful to society, and is actively enforced by the
state.
See the Budapest Convention on Cybercrime and the Kenya Cyber Crime Bill.
International Laws and Legal Bodies
It is important for IT professionals and information security practitioners to realize that when their
organizations do business on the Internet, they do business globally. As a result, these professionals
must be sensitive to the laws and ethical values of many different cultures, societies, and countries.
While it may be impossible to please all of the people all of the time, dealing with the laws of other
states and nations is one area where it is certainly not easier to ask for forgiveness than for
permission.
Because of the political complexities of the relationships among nations and the differences in
culture, there are currently few international laws relating to privacy and information security. The
laws discussed below are important, but are limited in their enforceability. The American Society of
International Law is one example of an American institution that deals in international law (see
www.asil.org).
Case Study
A study published in 1999 examined computer use ethics of eight nations: Singapore, Hong Kong,
the United States, England, Australia, Sweden, Wales, and the Netherlands. This study selected a
number of computer-use vignettes (see the Offline titled The Use of Scenarios in Computer Ethics
Studies) and presented them to students in universities in these eight nations. This study did not
categorize or classify the responses as ethical or unethical. Instead, the responses only indicated a
degree of ethical sensitivity or knowledge about the performance of the individuals in the short
case studies.
The scenarios were grouped into three categories of ethical computer use: software license
infringement, illicit use, and misuse of corporate resources.
Software License Infringement
Among study participants, attitudes toward piracy were generally similar; however, participants
from the United States and the Netherlands showed statistically significant differences in attitudes
from the overall group. Participants from the United States were significantly less tolerant of piracy,
while those from the Netherlands were significantly more permissive. Although other studies have
reported that the Pacific Rim countries of Singapore and Hong Kong are hotbeds of software piracy,
this study found tolerance for copyright infringement in those countries to be moderate, as were
attitudes in England, Wales, Australia, and Sweden. This could mean that the individuals surveyed
understood what software license infringement was, but felt either that their use was not piracy, or
that their society permitted this piracy in some way. Peer pressure, the lack of legal disincentives,
the lack of punitive measures, and a number of other reasons could explain why users in these
alleged piracy centers disregarded intellectual property laws despite their professed attitudes
toward them. Even though participants from the Netherlands displayed a more permissive attitude
toward piracy, that country only ranked third in piracy rates of the nations surveyed in this study.
Illicit Use
The study respondents unilaterally condemned viruses, hacking, and other forms of system abuse.
There were, however, different degrees of tolerance for such activities among the groups. Students
from Singapore and Hong Kong proved to be significantly more tolerant than those from the United
States, Wales, England, and Australia. Students from Sweden and the Netherlands were also
significantly more tolerant than those from Wales and Australia, but significantly less tolerant than
those from Hong Kong. The low overall degree of tolerance for illicit system use may be a function
of the easy correspondence between the common crimes of breaking and entering, trespassing,
theft, and destruction of property and their computer-related counterparts.
● Intent—Criminal or unethical intent goes to the state of mind of the person performing the
act; it is often necessary to establish criminal intent to successfully prosecute offenders. Protecting
a system against those with intent to cause harm or damage is best accomplished by means of
technical controls, and vigorous litigation or prosecution if these controls fail.
Whatever the cause of illegal, immoral, or unethical behavior, one thing is certain: it is the
responsibility of information security personnel to do everything in their power to deter these acts
and to use policy, education and training, and technology to protect information and systems. Many
security professionals understand the technology aspect of protection but underestimate the value
of policy. However, laws and policies and their associated penalties only deter if three conditions
are present:
● Fear of penalty—Potential offenders must fear the penalty. Threats of informal reprimand
or verbal warnings may not have the same impact as the threat of imprisonment or
forfeiture of pay.
● Probability of being caught—Potential offenders must believe there is a strong possibility of
being caught. Penalties will not deter illegal or unethical behavior unless there is reasonable
fear of being caught.
● Probability of penalty being administered—Potential offenders must believe that the
penalty will in fact be administered.
The International Information Systems Security Certification Consortium, Inc. ((ISC)²)
(www.isc2.org) is a nonprofit organization that focuses on the development and implementation of
information security certifications and credentials. (ISC)² manages a body of knowledge on
information security and administers and evaluates examinations for information security
certifications.
The code of ethics put forth by (ISC)² is primarily designed for information security professionals
who have earned an (ISC)² certification, and has four mandatory canons: “Protect society, the
commonwealth, and the infrastructure; act honorably, honestly, justly, responsibly, and legally;
provide diligent and competent service to principals; and advance and protect the profession.” This
code enables (ISC)² to promote reliance on the ethicality and trustworthiness of the information
security professional as the guardian of information and systems.
The System Administration, Networking, and Security Institute (SANS) (www.sans.org), which
was founded in 1989, is a professional research and education cooperative organization with a
current membership of more than 156,000 security professionals, auditors, system administrators,
and network administrators. SANS offers a set of certifications called the Global Information
Assurance Certification, or GIAC. All GIAC-certified professionals are required to acknowledge that
certification and the privileges that come from it carry a corresponding obligation to uphold the
GIAC Code of Ethics. Certificate holders who do not conform to this code face punishment, and
may lose GIAC certification.